I am currently looking to generate a list of buckets together with their metadata within my org and merge them with a field from audit logging. The field that I am interested in is the resource creator, to identify the accounts used to create the buckets.
First, to get the full list of buckets within my org as well as their metadata, I:
- gcloud projects list - to get the full list of projects within my org
- gcloud config set project {project_id} + for loop - to set project Id and run the subsequent lines project-by-project
- gcloud storage ls - to obtain the list of buckets within individual projects
- gcloud storage buckets describe {bucket_id} - to obtain more details pertaining to the bucket
- Write into a local csv file.
Now for finding the creator field, I thought of running:
- gcloud logging read "resource.type=gcs_bucket AND protoPayload.methodName="storage.buckets.create" - this by right should get me more data than I need for my work, since I only need the "creator" field.
- Perform join on the two tables
Now the problem is the "gcloud logging read" line does not output anything when running on Google cloud CLI. Later I saw from another SO post that freshness parameter must be included, so I added --freshness=360d and now the cli just takes forever to run.
Curiously, I did the same query on Logs Explorer console and found that the number of buckets creation actions performed in the past did not tally with the number of buckets found in my bucket list.
Since I could see some logs in Logs Explorer, I believe this shouldn't be a permissioning issue.
What have I possibly done wrong?
The following command did not work for me
Try
" was removed before storage